U.S.-based microblogging giant Twitter is sending out messages to users about a bug that may have sent private messages to unauthorized developers.
According to a number of Twitter users posting screenshots of the notification, the company identified a bug on September 10th, 2018 that may have sent direct messages or protected tweets “to Twitter developers who were not authorized to receive them.”
"If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer." https://t.co/MV3cDOV5an
— Eli Grey (@sephr) September 21, 2018
Twitter said that the bug has been around since May 2017, but that the company “resolved it immediately upon discovering it.”
The bug was in Twitter’s Account Activity API (AAAPI), which allows registered developers to “better support businesses and their communications with customers on Twitter.”
A tweet from the Twitter Support account added that the company hasn’t come across an instance where data was actually sent to the wrong party, but that it also can’t “conclusively confirm it didn’t happen, so we’re telling potentially impacted people about the bug.”
We haven’t found an instance where data was sent to the incorrect party. But we can’t conclusively confirm it didn’t happen, so we’re telling potentially impacted people about the bug. If you were potentially involved, we’ll contact you today. We’re sorry that this happened.
— Twitter Support (@TwitterSupport) September 21, 2018
The bug reportedly affected fewer than one percent of Twitter users.